CVE-2023-34089

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in version 0.27.3 and 0.26.7.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*
cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*

History

21 Nov 2024, 08:06

Type Values Removed Values Added
References () https://github.com/decidim/decidim/releases/tag/v0.26.6 - Release Notes () https://github.com/decidim/decidim/releases/tag/v0.26.6 - Release Notes
References () https://github.com/decidim/decidim/releases/tag/v0.27.3 - Release Notes () https://github.com/decidim/decidim/releases/tag/v0.27.3 - Release Notes
References () https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9 - Third Party Advisory () https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9 - Third Party Advisory
CVSS v2 : unknown
v3 : 6.1
v2 : unknown
v3 : 8.1

21 Jul 2023, 17:16

Type Values Removed Values Added
References (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.3 - Patch, Third Party Advisory (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.3 - Release Notes
References (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.6 - Patch, Third Party Advisory (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.6 - Release Notes

19 Jul 2023, 21:15

Type Values Removed Values Added
Summary Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in version 0.27.3 and 0.26.6. Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in version 0.27.3 and 0.26.7.

19 Jul 2023, 00:48

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1
References (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.6 - (MISC) https://github.com/decidim/decidim/releases/tag/v0.26.6 - Patch, Third Party Advisory
References (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.3 - (MISC) https://github.com/decidim/decidim/releases/tag/v0.27.3 - Patch, Third Party Advisory
References (MISC) https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9 - (MISC) https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9 - Third Party Advisory
CPE cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*
First Time Decidim decidim
Decidim

11 Jul 2023, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-11 18:15

Updated : 2024-11-21 08:06


NVD link : CVE-2023-34089

Mitre link : CVE-2023-34089

CVE.ORG link : CVE-2023-34089


JSON object : View

Products Affected

decidim

  • decidim
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')